Common Topics

Behrang Fouladi and Sahand Ghanoun took a long hard look at Z-Wave for their presentation at last week's Black Hat hacking conference in Las Vegas. The wireless standard dominates home-automation in the US, but the pair discovered some worrying flaws.

Not only were they able to switch off a motion sensor with a relatively simple replay attack, but they also managed to take control of a wireless door lock by supplanting the proper control centre, potentially allowing a burglar to walk right in and make himself comfortable.

The Z-Wave specifications are only available to paying customers after they've signed the non-disclosure agreement, which makes analysis of the standard difficult by preventing open discussion of potential flaws. It also makes manufacturers lazy in their implementations, which proved crucial to the success of the hack.

Before Fouladi and Ghanoun could find any vulnerabilities, the researchers had to work out how the security was supposed to work, a challenge in itself. There's very little open-source code available for the unpublished standard, but by extending the OpenZ-Wave toolkit the pair were able to analyse over-the-air communications with a motion sensor and discovered it was vulnerable to a simple replay attack.

Even without understanding the protocol the pair just captured the legitimate signal sent to deactivate the sensor, perhaps by lurking near a target's house, then played back the recorded series of wireless packets to successfully switch off the sensor.

That shouldn't be possible - replay attacks are the most basic of penetrative techniques and any modern system should be immune to them, but for some reason the tested Z-Wave sensor wasn't.

More formidable was a Z-Wave door lock, as it should be. Commands sent to the lock from the network controller are encrypted using AES128, well beyond the reach of all but the best-funded government agencies, but as is so often the case it's the implementation, not the encryption, that proved to be flawed.

Raise your hand when you spot the non-deliberate mistake

An automated home will have a single Z-Wave network, operating in the low-frequency industrial, scientific and medical (ISM) band (868MHz in Europe and 908MHz in the US), and each network is secured with a unique network key.

That network key is created by the device that appoints itself as network controller (normally a home hub of some sort) and distributed to other devices when they join the network, encrypted using a global key hard coded onto every Z-Wave device.

Cryptographers should be blanching at that statement, fully aware that any shared secret is a vulnerability that won't stay secret for long. The Z-Wave global key is only used during network setup – meaning it is of no value to anyone attacking an established network even if it remains a concern in some circumstances. But it turns out the global key isn't necessary to hijack at least one model of lock.

When the lock is first set up, and receives the network key from the controller, the user is required to press a physical button on the bottom of the keypad to acknowledge the new device. But once installed the lock can reconnect to a controller (say, after a battery failure) without user interaction, and it turns out that it isn't very picky about the network controller to which it connects.

Our attacker just identifies a lock on the network and sends it a new network key from his own network controller; the fickle door lock happily forgets its previous attachment and stands ready to respond to new commands, suitably encrypted using the new key, such as "open the door, please".

Speaking to El Reg, the hacker team declined to name the manufacturers of the lock and the sensor, but said they'd both been informed and both had claimed the flaws were rare implementation errors and that they would shortly be fixed. Fouladi and Ghanoun aren't convinced.

More testing is needed, but the pair's hypothesis is that both companies are using example code provided in the Z-Wave software development kit, and that the example code is intended to be just that - an example not to intended for use in actual products. Without seeing the kit it's hard to be certain, and the Z-Wave Alliance (which maintains and sells the SDK) is apparently working on a new revision, but didn't respond to our inquiries on the matter.

Fouladi and Ghanoun will demonstrate all this again in London at 44Con in September. And, lest we forget, security through obscurity has, yet again, arguably proved to be worse than no security at all. ®